getgrav/grav Security Advisories for 2.0.0-beta.1 (14)
-
[HIGH] Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
PKSA-jw9z-qj9h-1drk CVE-2026-44738 GHSA-j274-39qw-32c9
Affected version: <=2.0.0-rc.1
Reported by: GitHub
-
[HIGH] Low-privileged Grav API users can create super-admin accounts via blueprint-upload
PKSA-jtpz-17pm-t9v9 CVE-2026-42844 GHSA-6xx2-m8wv-756h
Affected version: <2.0.0-beta.4
Reported by: GitHub
-
[HIGH] Grav is Vulnerable to Stored XSS via Tag Injection
PKSA-sd9s-hpbv-6d8f CVE-2026-42611 GHSA-w8cg-7jcj-4vv2
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[MEDIUM] Grav is Vulnerable to XXE via SVG Upload
PKSA-59xg-9744-g5wz GHSA-3446-6mgw-f79p
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[HIGH] Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
PKSA-ncnf-tf1t-zhtj CVE-2026-42608 GHSA-hmcx-ch82-3fv2
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[HIGH] Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
PKSA-fchw-jdvj-kg96 CVE-2026-42609 GHSA-rr73-568v-28f8
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[LOW] Grav has Insecure Deserialization in File Cache
PKSA-t2z1-v63n-9cpk CVE-2026-7317 GHSA-gwfr-jfjf-92vv
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[CRITICAL] Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
PKSA-vnvp-8nvk-g8ck GHSA-vj3m-2g9h-vm4p
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[HIGH] Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
PKSA-dxs6-j3rv-n16d CVE-2026-42612 GHSA-9695-8fr9-hw5q
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[MEDIUM] Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
PKSA-69wb-mt3g-24xp CVE-2026-42610 GHSA-3f29-pqwf-v4j4
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[CRITICAL] Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
PKSA-pzhx-ftqg-8fxh CVE-2026-42613 GHSA-pxm6-mhxr-q4mj
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[MEDIUM] Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
PKSA-ddbz-4vx4-q29g CVE-2026-42842 GHSA-c2q3-p4jr-c55f
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[MEDIUM] Grav CMS vulnerable to stored XSS via Markdown media attribute() action
PKSA-yx72-zyj1-gtxy CVE-2026-42841 GHSA-r7fx-8g49-7hhr
Affected version: <2.0.0-beta.2
Reported by: GitHub
-
[CRITICAL] Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
PKSA-st6r-p3js-kbk7 CVE-2026-42607 GHSA-w48r-jppp-rcfw
Affected version: <2.0.0-beta.2
Reported by: GitHub